cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system.

cPanel has rated these updates as having CVSSv2 scores ranging from 2.1 to 10.0.

Information on cPanel’s security ratings is available at http://go.cpanel.net/securitylevels.

If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.

RELEASES

The following cPanel & WHM versions address all known vulnerabilities:

The latest public releases of cPanel & WHM for all update tiers are available at http://httpupdate.cpanel.net.

SECURITY ISSUE INFORMATION

The cPanel security team identified the resolved security issues. There is no reason to believe that these vulnerabilities have been made known to the public. As such, cPanel will only release limited information about the vulnerabilities at this time.

Once sufficient time has passed, allowing cPanel & WHM systems to automatically update to the new versions, cPanel will release additional information about the nature of the security issues. This Targeted Security Release addresses 20 vulnerabilities in cPanel & WHM software versions 11.54, 11.52, 11.50, and 11.48.

Due to the severity of the issues addressed in this release, cPanel is extending the blackout period on additional information to a full week. Additional information is scheduled for release on January 25, 2016.

EasyApache 3.26.6 released to address multiple CVE security issues!
http://www.ndchost.com/blog/easyapache-3-26-6-released-to-address-multiple-cve-security-issues/
Mon, 25 Aug 2014 23:10:06 +0000

cPanel, Inc. has released EasyApache 3.26.6 with PHP versions 5.4.32 and 5.5.16. This release addresses vulnerabilities CVE-2014-3538, CVE-2014-3587, CVE-2014-2497, CVE-2014-5120, CVE-2014-3597, CVE-2014-4670 and CVE-2014-4698. We encourage all PHP 5.4 users to upgrade to PHP version 5.4.32 and all PHP 5.5 users to upgrade to PHP version 5.5.16.

AFFECTED VERSIONS

All versions of PHP 5.4 before 5.4.32.
All versions of PHP 5.5 before 5.5.16.

SECURITY RATING

The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2014-3538 – MEDIUM

PHP 5.4.32
Fixed bug in the Fileinfo module related to CVE-2014-3538.

PHP 5.5.16
Fixed bug in the Fileinfo module related to CVE-2014-3538.

CVE-2014-3587 – MEDIUM

PHP 5.4.32
Fixed bug in the Fileinfo module related to CVE-2014-3587.

PHP 5.5.16
Fixed bug in the Fileinfo module related to CVE-2014-3587.

CVE-2014-2497 – MEDIUM

PHP 5.4.32
Fixed bug in the GD module related to CVE-2014-2497.

PHP 5.5.16
Fixed bug in the GD module related to CVE-2014-2497.

CVE-2014-5120 – MEDIUM

PHP 5.4.32
Fixed bug in the GD module related to CVE-2014-5120.

PHP 5.5.16
Fixed bug in the GD module related to CVE-2014-5120.

CVE-2014-3597 – MEDIUM

PHP 5.4.32
Fixed bug in the SPL module related to CVE-2014-3597.

PHP 5.5.16
Fixed bug in the SPL module related to CVE-2014-3597.

CVE-2014-4670 – MEDIUM

PHP 5.4.32
Fixed bug in the SPL module related to CVE-2014-4670.

CVE-2014-4698 – MEDIUM

PHP 5.4.32
Fixed bug in the SPL module related to CVE-2014-4698.

SOLUTION

cPanel, Inc. has released EasyApache 3.26.6 with updated versions of PHP, 5.4.32 and 5.5.16, to correct these issues. Unless you have disabled EasyApache updates, EasyApache updates automatically. Run EasyApache to rebuild your profile with the latest version of Apache.

SOLUTION
cPanel, Inc. has released EasyApache 3.26.5 with an updated version of PHP 5.3.29 and a patch to libxml2 to correct these issues. Unless you have disabled EasyApache updates, EasyApache updates automatically. Run EasyApache to rebuild your profile with the latest version of Apache.

SOLUTION
cPanel, Inc. has released EasyApache 3.26.4 with an updated version of the mod_perl Apache module to correct this issue. Unless you have disabled EasyApache updates, EasyApache updates automatically. Run EasyApache to rebuild your profile with the latest version of Apache.

CentOS 7 is now available!
http://www.ndchost.com/blog/centos-7-is-now-available/
Wed, 30 Jul 2014 21:38:20 +0000

We’re pleased to announce the availability of CentOS 7 on all of our dedicated and cloud servers. Cloud customers can easily deploy these new distributions using the cloud server manager within the customer portal. Dedicated server customers who would like a fresh install should contact our support department to schedule the installation.

EasyApache 3.24.22 Released to address PHP vulnerabilities
http://www.ndchost.com/blog/easyapache-3-24-22-released-to-address-php-vulnerabilities/
Tue, 01 Jul 2014 01:54:05 +0000

cPanel, Inc. has released EasyApache 3.24.22 with PHP 5.4.30 and 5.5.14. This release addresses multiple PHP vulnerabilities in the PHP core code and the Fileinfo, Network, and SPL modules. We encourage all PHP users to upgrade to PHP 5.4.30 and PHP 5.5.14.

AFFECTED VERSIONS

All versions of PHP 5.4 before 5.4.30.
All versions of PHP 5.5 before 5.5.14.

SECURITY RATING

The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

cPanel, Inc. has released EasyApache 3.24.22 with an updated version of PHP 5.4 and PHP 5.5 to correct this issue. Unless you have disabled EasyApache updates, EasyApache updates automatically. Run EasyApache to rebuild your profile with the latest version of PHP.

ProVPS.com gets a facelift!
http://www.ndchost.com/blog/provps-gets-a-face-lift/
Thu, 12 Jun 2014 01:36:55 +0000

Some of you may or may not know but ProVPS.com was a site we launched back in 2004 that was dedicated to our virtual private server line. After almost 10 years the ProVPS.com site has gotten a face lift and boy did it need it! Check it out! http://www.provps.com

EasyApache 3.24.19 released to address CVE-2014-0237 and CVE-2014-0238
http://www.ndchost.com/blog/easyapache-3-24-19-released-to-address-cve-2014-0237-and-cve-2014-0238/
Mon, 02 Jun 2014 23:38:52 +0000

cPanel, Inc. has released EasyApache 3.24.19 with PHP versions 5.5.13 and 5.4.29. This release addresses the PHP vulnerabilities CVE-2014-0237 and CVE-2014-0238 with fixes to bugs in the fileinfo extension. We encourage all PHP users to upgrade to PHP version 5.5.13 or PHP version 5.4.29.

AFFECTED VERSIONS

All versions of PHP 5.5 before 5.5.13.
All versions of PHP 5.4 before 5.4.29.

SECURITY RATING

The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

cPanel, Inc. has released EasyApache 3.24.19 with the updated versions of PHP 5.4 and 5.5 to correct these issues. Unless you have disabled EasyApache updates, EasyApache will include the latest versions of PHP automatically. Run EasyApache to rebuild your profile with the latest version of PHP.

cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system.

cPanel has rated these updates as having security impact levels ranging from Minor to Important.

If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.

RELEASES

The following cPanel & WHM versions address all known vulnerabilities:

The cPanel security team and independent security researchers identified the resolved security issues. There is no reason to believe that these vulnerabilities have been made known to the public. As such, cPanel will only release limited information about the vulnerabilities at this time.

Once sufficient time has passed, allowing cPanel & WHM systems to automatically update to the new versions, cPanel will release additional information about the nature of the security issues. This Targeted Security Release addresses 52 vulnerabilities in cPanel & WHM software versions 11.44, 11.42, and 11.40.

Additional information is scheduled for release on May 26th, 2014.

CloudLinux now available on our cloud servers
http://www.ndchost.com/blog/cloudlinux-now-available-on-our-cloud-servers/
Tue, 20 May 2014 21:41:52 +0000

We are pleased to announce that CloudLinux 6 is now available on our cloud server platform. CloudLinux is another spin-off of the popular RHEL/CentOS operating system, but with stability, security, and density in mind. CloudLinux is not a free operating system and does require a monthly license. We can provide this license for $12.00 per month. If you are running an existing CentOS 6 server and would like to convert to CloudLinux, this can also be done easily with a simple conversion script written by the CloudLinux Team. The only downtime required for this conversion is for the reboot required once the conversion has finished. Further information regarding CloudLinux can be found at www.cloudlinux.com or you can contact our team directly. Additional information can also be found below!

Why CloudLinux?

Created in 2009, CloudLinux became the first commercially supported OS specifically designed for shared hosting providers. In its four years in the marketplace, CloudLinux has received numerous awards and has been praised by hundreds of shared hosting providers for resolving their stability problems. Web Hosting Search called it “The perfect OS for shared hosting.” It is no wonder that today more than 1,000 companies successfully use CloudLinux on their servers. It is installed on more than 10,000 servers worldwide. CloudLinux is a proven solution for shared hosting that drastically improves server stability and security, increases density, decreases support costs, and prevents churn. It sounds like magic, but CloudLinux delivers these benefits by introducing the latest technologies specifically crafted for shared hosting into its kernel. Combine these features with all its tools and integrate them with major control panels and it becomes a must-have for any shared hosting provider.

CloudLinux benefits:

Isolates users from each other to avoid the “bad neighbor effect”

Prevents users from seeing configuration files and other private information

Allows end users to select PHP versions 4.4, 5.2, 5.3, 5.4, and 5.5

Gives the power to monitor and control limits such as CPU, IO, Memory, and others

Helps restrict and throttle MySQL database abusers

Compatible with all major control panels

Interchangeable with CentOS and RHEL.

CloudLinux Technology

Lightweight Virtual Environment (LVE) is a kernel-based isolation technology that limits and controls the amount of resources (CPU, memory, number of processes, and IO) available to a specific user. This allows for improved stability and enhanced reliability. LVE will control web, cron jobs, and shell access, creating a protective bubble around each customer and preventing each customer from abusing the server.

CageFS extends LVE isolation to each user’s file system. Through virtualization, each user’s file system is effectively isolated into its own environment to prevent one user from seeing any other users or their files on the server. This creates a new level of security, making it much more difficult for hackers to attack, deface, or steal data from a shared hosting server. Additionally, it guarantees no SUID scripts are available to the end customer, preventing the majority of privilege escalation attacks. CageFS provides all of this while also providing a fully functional environment for web, cron jobs, and shell.

PHP Selector: With CloudLinux, our customers will have the flexibility to choose the PHP version they need. That includes versions 4.4, 5.2, 5.3, 5.4 and 5.5 as well as more than 50 PHP extensions and the ability to adjust php.ini settings.

MySQL Governor monitors MySQL usage and detects abusers, restricting their connectivity if they start using more than their allocated resources. This tool comes with a utility to view current usage that provides unprecedented visibility of and control over MySQL usage, significantly diminishing the number of support issues caused by MySQL abuse.

SecureLinks is a kernel-level technology that prevents all known symbolic link attacks, which enhances the security level of the servers even further.

All these features, in addition to regular technical updates and exceptional 24/7 support, make CloudLinux a great value.